Missing PGP Validation in Gentoo Portage
CVE-2016-20021

CVSS 3.1 base score: 9.8 CRITICAL

Key Information:

Vendor: Gentoo
Status: Vendor
CVE Published: 12 January 2024

What is CVE-2016-20021?

CVE-2016-20021 is a missing signature verification flaw in Portage, Gentoo's package manager, affecting versions before 3.0.47. The emerge-webrsync utility fetches a repository snapshot tarball together with its detached PGP signature (the .gpgsig file), but it never actually checks that signature before the snapshot is unpacked into the ebuild repository. Downloading the signature file is not the same as verifying it: the snapshot is trusted whether or not the .gpgsig matches. Because ebuilds are shell code that Portage executes during package builds and installs, anyone who can substitute the snapshot in transit or on a mirror can get their own code run on the target system, which is why the CVSS vector is network-reachable with no privileges or user interaction required. The fix is to upgrade sys-apps/portage to 3.0.47 or later, where emerge-webrsync verifies the snapshot signature before using it. Note that the 2016 in the identifier reflects the year the issue dates from, not the 12 January 2024 date on which the CVE record was published.
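The two checks a Gentoo administrator would want from this advisory are whether the installed Portage predates the fix and, for a snapshot already on disk, whether its detached signature actually verifies. The script below is an added example written for this page; it is not code from Gentoo or the Portage project. It assumes the fixed version 3.0.47 named in the advisory, that `portageq` is present on a Gentoo host, and that the Gentoo release key is already imported into the caller's gpg keyring; the snapshot filenames are illustrative.

```shell
#!/bin/sh
# Added example (not Gentoo's or Portage's own code): flag Portage versions
# affected by CVE-2016-20021 and show the signature gate emerge-webrsync
# should have applied before unpacking a snapshot.
# Assumptions: fix landed in 3.0.47 (per the advisory); snapshot file names
# below are illustrative; the Gentoo release key is already in gpg's keyring.

FIXED_VERSION="3.0.47"

# ver_lt A B: exit 0 when dotted version A is numerically lower than B.
# Non-numeric suffixes such as "-r1" or "_rc2" on a component are ignored.
ver_lt() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | awk -F. -v n="$i" '{print $n}')
        y=$(printf '%s' "$b" | awk -F. -v n="$i" '{print $n}')
        [ -z "$x" ] && [ -z "$y" ] && return 1      # all components equal
        x=$(printf '%s' "${x:-0}" | sed 's/[^0-9].*//'); x=${x:-0}
        y=$(printf '%s' "${y:-0}" | sed 's/[^0-9].*//'); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# portage_vulnerable VERSION: exit 0 when VERSION is affected by CVE-2016-20021.
portage_vulnerable() {
    ver_lt "$1" "$FIXED_VERSION"
}

# installed_portage_version: version Portage reports for itself on a Gentoo
# host (e.g. "3.0.63"); "unknown" anywhere portageq is absent.
installed_portage_version() {
    if command -v portageq >/dev/null 2>&1; then
        portageq match / sys-apps/portage | sed 's/.*portage-//' | head -n1
    else
        echo unknown
    fi
}

# unpack_snapshot_if_verified TARBALL SIGFILE DEST: the check the vulnerable
# emerge-webrsync skipped. The detached .gpgsig is verified against the
# tarball first; only on success is anything extracted into DEST.
unpack_snapshot_if_verified() {
    tarball="$1"; sigfile="$2"; dest="$3"
    if ! gpg --verify "$sigfile" "$tarball" >/dev/null 2>&1; then
        echo "signature check FAILED for $tarball; refusing to unpack" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xJf "$tarball" -C "$dest"
}

main() {
    v=$(installed_portage_version)
    if [ "$v" = unknown ]; then
        echo "portageq not found: not a Gentoo/Portage host"
        return 0
    fi
    if portage_vulnerable "$v"; then
        echo "Portage $v: AFFECTED by CVE-2016-20021 (fixed in $FIXED_VERSION); update sys-apps/portage"
    else
        echo "Portage $v: not affected by CVE-2016-20021"
    fi
    # Manual verification of a snapshot already on disk (illustrative names):
    # unpack_snapshot_if_verified portage-latest.tar.xz portage-latest.tar.xz.gpgsig /tmp/snapshot
}

main
```

The version comparison is what the `main` path reports; `unpack_snapshot_if_verified` is the shape of the fix rather than something the script runs on its own, since it needs a real snapshot, its .gpgsig and the release key in the keyring. On a fixed Portage this gate is built into emerge-webrsync, so the manual step is only needed when handling snapshots outside of it.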

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 12 January 2024